| Points | Level | Category | Model | RiskId | Rationale | LastAppearance |
|---|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 | 2020-11-25 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 | 2020-12-25 |
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 | 2020-10-25 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 | 2020-12-25 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC | 2021-01-25 |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 | 2020-11-25 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 | 2021-01-25 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1 | 2020-10-25 |
| 20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 8 | 2020-08-25 |
| 20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago | 2020-08-25 |
| 15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin | 2020-09-25 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory | 2020-12-25 |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 | 2020-10-25 |
| 15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago | 2020-08-25 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 | 2021-01-25 |
| 10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 | 2020-09-25 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group | 2020-10-25 |
| 10 | 4 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain | 2020-12-25 |
| 10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. | 2020-09-25 |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC | 2020-10-25 |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature | 2021-01-25 |
| 5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. | 2020-09-25 |
| 5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 | 2020-09-25 |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4 | 2020-11-25 |
| Date | Maturity | Global score | Total score | Anomalies | Privileged Accounts | Stale Objects | Trusts |
|---|---|---|---|---|---|---|---|
| 2020-08-25 | 1 | 100 | 751 | 184 | 360 | 82 | 125 |
| 2020-09-25 | 1 | 100 | 696 | 149 | 340 | 82 | 125 |
| 2020-10-25 | 1 | 100 | 651 | 134 | 325 | 67 | 125 |
| 2020-11-25 | 1 | 100 | 541 | 134 | 275 | 57 | 75 |
| 2020-12-25 | 1 | 100 | 445 | 134 | 185 | 51 | 75 |
| 2021-01-25 | 1 | 100 | 310 | 74 | 185 | 26 | 25 |
| 2021-02-25 | 1 | 100 | 225 | 59 | 110 | 31 | 25 |
| Level | Category | Model | RiskId | Rationale | 2020-08-25 | 2020-09-25 | 2020-10-25 | 2020-11-25 | 2020-12-25 | 2021-01-25 | 2021-02-25 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. | 10 | 10 | |||||
| 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago | 15 | ||||||
| 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago | 20 | ||||||
| 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature | 5 | 5 | 5 | 5 | 5 | 5 | |
| 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 | 10 | 10 | 10 | 10 | 10 | 10 | |
| 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. | 5 | 5 | |||||
| 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 | 60 | 60 | 60 | 60 | 60 | ||
| 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 | 30 | 30 | 30 | 30 | 30 | 30 | 30 |
| 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. | 25 | 25 | 25 | 25 | 25 | 25 | 25 |
| 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group | 10 | 10 | 10 | ||||
| 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 8 | 20 | ||||||
| 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1 | 25 | 25 | 25 | ||||
| 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 | 30 | 30 | 30 | 30 | |||
| 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 | 45 | 45 | 45 | 45 | 45 | 45 | 45 |
| 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 | 30 | 30 | 30 | 30 | 30 | 30 | |
| 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC | 45 | 45 | 45 | 45 | 45 | 45 | |
| 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 | 60 | 60 | 60 | 60 | |||
| 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin | 15 | 15 | |||||
| 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 | 15 | 15 | 15 | ||||
| 4 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain | 10 | 10 | 10 | 10 | 10 | ||
| 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 | 15 | 15 | 15 | 15 | 15 | 15 | 15 |
| 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 | 5 | 5 | 5 | 5 | 5 | ||
| 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 | 10 | 10 | |||||
| 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 | 5 | 5 | |||||
| 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4 | 1 | 1 | 1 | 1 | |||
| 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory | 15 | 15 | 15 | 15 | 15 | ||
| 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC | 10 | 10 | 10 | ||||
| 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 | 20 | 20 | 20 | 20 | 20 | 20 | 20 |
| 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 | 50 | 50 | 50 | ||||
| 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 | 50 | 50 | 50 | 50 | 50 | ||

| Name | Object |
|---|---|
| PingCastle version | 2.9.0.0 Beta |
| Generated on | Tuesday 25 August 2020 |
| Report age | 1954 day(s) |
| Domain maturity | 1 |
| Domain mode | Windows2008R2 |
| Forest mode | Windows2008R2 |
The worst score out of the four items

| Score | Points |
|---|---|
| Total score | 751 pt(s) |
| Criticity 1 | 250 pt(s) |
| Criticity 2 | 252 pt(s) |
| Criticity 3 | 219 pt(s) |
| Criticity 4 | 30 pt(s) |
| Criticity 5 | 0 pt(s) |

Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
The evolution of the uncapped score in each category. The score may vary from the normal Ping Castle score (capped to 100), as some rules can be ignored using the exceptions.csv file. The list of ignored risk rules is available at the bottom of the page.
Risk rules resolved
| Name |
|---|
| No data available to display. |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 8 |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago |
| 15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |
| 15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 4 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4 |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
The following rules have been excluded from the calculated scores using the "exceptions.csv" file.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |

| Name | Object |
|---|---|
| PingCastle version | 2.9.0.0 Beta |
| Generated on | Friday 25 September 2020 |
| Report age | 1923 day(s) |
| Domain maturity | 1 |
| Domain mode | Windows2008R2 |
| Forest mode | Windows2008R2 |
The worst score out of the four items

| Score | Points |
|---|---|
| Total score | 696 pt(s) |
| Criticity 1 | 250 pt(s) |
| Criticity 2 | 232 pt(s) |
| Criticity 3 | 184 pt(s) |
| Criticity 4 | 30 pt(s) |
| Criticity 5 | 0 pt(s) |

Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
The evolution of the uncapped score in each category. The score may vary from the normal Ping Castle score (capped to 100), as some rules can be ignored using the exceptions.csv file. The list of ignored risk rules is available at the bottom of the page.
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 8 |
| 20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago |
| 15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 4 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4 |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
The following rules have been excluded from the calculated scores using the "exceptions.csv" file.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |

| Name | Object |
|---|---|
| PingCastle version | 2.9.0.0 Beta |
| Generated on | Sunday 25 October 2020 |
| Report age | 1893 day(s) |
| Domain maturity | 1 |
| Domain mode | Windows2008R2 |
| Forest mode | Windows2008R2 |
The worst score out of the four items

| Score | Points |
|---|---|
| Total score | 651 pt(s) |
| Criticity 1 | 240 pt(s) |
| Criticity 2 | 207 pt(s) |
| Criticity 3 | 174 pt(s) |
| Criticity 4 | 30 pt(s) |
| Criticity 5 | 0 pt(s) |

Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
The evolution of the uncapped score in each category. The score may vary from the normal Ping Castle score (capped to 100), as some rules can be ignored using the exceptions.csv file. The list of ignored risk rules is available at the bottom of the page.
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin |
| 10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 |
| 10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. |
| 5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. |
| 5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 4 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
The following rules have been excluded from the calculated scores using the "exceptions.csv" file.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |

| Name | Object |
|---|---|
| PingCastle version | 2.9.0.0 Beta |
| Generated on | Wednesday 25 November 2020 |
| Report age | 1862 day(s) |
| Domain maturity | 1 |
| Domain mode | Windows2008R2 |
| Forest mode | Windows2008R2 |
The worst score out of the four items

| Item | Score |
|---|---|
| Total score | 541 pt(s) |
| Criticity 1 | 165 pt(s) |
| Criticity 2 | 207 pt(s) |
| Criticity 3 | 154 pt(s) |
| Criticity 4 | 15 pt(s) |
| Criticity 5 | 0 pt(s) |

Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
The evolution of the uncapped score in each category. The score may vary from the normal Ping Castle score (capped to 100), as some rules can be ignored using the exceptions.csv file. The list of ignored risk rules is available at the bottom of the page.
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a constrained delegation: 1 |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 4 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
The following rules have been excluded from the calculated scores using the "exceptions.csv" file.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |

| Name | Object |
|---|---|
| PingCastle version | 2.9.0.0 Beta |
| Generated on | Friday 25 December 2020 |
| Report age | 1832 day(s) |
| Domain maturity | 1 |
| Domain mode | Windows2008R2 |
| Forest mode | Windows2008R2 |
The worst score out of the four items

| Item | Score |
|---|---|
| Total score | 445 pt(s) |
| Criticity 1 | 160 pt(s) |
| Criticity 2 | 116 pt(s) |
| Criticity 3 | 154 pt(s) |
| Criticity 4 | 15 pt(s) |
| Criticity 5 | 0 pt(s) |

Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
The evolution of the uncapped score in each category. The score may vary from the normal Ping Castle score (capped to 100), as some rules can be ignored using the exceptions.csv file. The list of ignored risk rules is available at the bottom of the page.
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 4 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
The following rules have been excluded from the calculated scores using the "exceptions.csv" file.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |

| Name | Object |
|---|---|
| PingCastle version | 2.9.0.0 Beta |
| Generated on | Monday 25 January 2021 |
| Report age | 1801 day(s) |
| Domain maturity | 1 |
| Domain mode | Windows2008R2 |
| Forest mode | Windows2008R2 |
The worst score out of the four items

| Item | Score |
|---|---|
| Total score | 310 pt(s) |
| Criticity 1 | 100 pt(s) |
| Criticity 2 | 116 pt(s) |
| Criticity 3 | 89 pt(s) |
| Criticity 4 | 5 pt(s) |
| Criticity 5 | 0 pt(s) |

Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
The evolution of the uncapped score in each category. The score may vary from the normal Ping Castle score (capped to 100), as some rules can be ignored using the exceptions.csv file. The list of ignored risk rules is available at the bottom of the page.
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 10 | 4 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
The following rules have been excluded from the calculated scores using the "exceptions.csv" file.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |

| Name | Object |
|---|---|
| PingCastle version | 2.9.0.0 Beta |
| Generated on | Thursday 25 February 2021 |
| Report age | 1770 day(s) |
| Domain maturity | 1 |
| Domain mode | Windows2008R2 |
| Forest mode | Windows2008R2 |
The worst score out of the four items

| Item | Score |
|---|---|
| Total score | 225 pt(s) |
| Criticity 1 | 60 pt(s) |
| Criticity 2 | 76 pt(s) |
| Criticity 3 | 84 pt(s) |
| Criticity 4 | 5 pt(s) |
| Criticity 5 | 0 pt(s) |

Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
The evolution of the uncapped score in each category. The score may vary from the normal Ping Castle score (capped to 100), as some rules can be ignored using the exceptions.csv file. The list of ignored risk rules is available at the bottom of the page.
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
New risk rules triggered
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
The following rules have been excluded from the calculated scores using the "exceptions.csv" file.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |